View Javadoc
1   /**
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements. See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership. The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License. You may obtain a copy of the License at
9    *
10   * http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied. See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.apache.wss4j.policy.stax.test;
20  
21  import org.apache.wss4j.common.ext.WSSecurityException;
22  import org.apache.wss4j.policy.stax.enforcer.PolicyEnforcer;
23  import org.apache.wss4j.stax.ext.WSSConstants;
24  import org.apache.wss4j.stax.securityToken.WSSecurityTokenConstants;
25  import org.apache.wss4j.stax.impl.securityToken.X509SecurityTokenImpl;
26  import org.apache.wss4j.stax.securityEvent.OperationSecurityEvent;
27  import org.apache.wss4j.stax.securityEvent.SignedPartSecurityEvent;
28  import org.apache.wss4j.stax.securityEvent.X509TokenSecurityEvent;
29  import org.apache.xml.security.stax.ext.XMLSecurityConstants;
30  import org.apache.xml.security.stax.securityEvent.ContentEncryptedElementSecurityEvent;
31  import org.apache.xml.security.stax.securityToken.InboundSecurityToken;
32  import org.junit.jupiter.api.Test;
33  
34  import javax.xml.namespace.QName;
35  
36  import java.util.LinkedList;
37  import java.util.List;
38  
39  import static org.junit.jupiter.api.Assertions.assertEquals;
40  import static org.junit.jupiter.api.Assertions.fail;
41  
42  public class X509TokenTest extends AbstractPolicyTestBase {
43  
44      @Test
45      public void testPolicy() throws Exception {
46          String policyString =
47                  "<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
48                          "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
49                          "<sp:InitiatorToken>\n" +
50                          "   <wsp:Policy>\n" +
51                          "       <sp:X509Token>\n" +
52                          "           <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
53                          "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
54                          "               <sp:RequireThumbprintReference/>\n" +
55                          "               <sp:WssX509V3Token11/>\n" +
56                          "           </wsp:Policy>\n" +
57                          "       </sp:X509Token>\n" +
58                          "   </wsp:Policy>\n" +
59                          "</sp:InitiatorToken>\n" +
60                          "<sp:RecipientToken>\n" +
61                          "   <wsp:Policy>\n" +
62                          "       <sp:X509Token>\n" +
63                          "           <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
64                          "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
65                          "               <sp:RequireThumbprintReference/>\n" +
66                          "               <sp:WssX509V3Token11/>\n" +
67                          "           </wsp:Policy>\n" +
68                          "       </sp:X509Token>\n" +
69                          "   </wsp:Policy>\n" +
70                          "</sp:RecipientToken>\n" +
71                          "   <sp:AlgorithmSuite>\n" +
72                          "       <wsp:Policy>\n" +
73                          "           <sp:Basic256/>\n" +
74                          "       </wsp:Policy>\n" +
75                          "   </sp:AlgorithmSuite>\n" +
76                          "</wsp:Policy>\n" +
77                          "</sp:AsymmetricBinding>";
78  
79          PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
80          X509TokenSecurityEvent initiatorX509TokenSecurityEvent = new X509TokenSecurityEvent();
81          X509SecurityTokenImpl securityToken = getX509Token(WSSecurityTokenConstants.X509V3Token);
82          securityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
83          initiatorX509TokenSecurityEvent.setSecurityToken(securityToken);
84          policyEnforcer.registerSecurityEvent(initiatorX509TokenSecurityEvent);
85  
86          X509TokenSecurityEvent recipientX509TokenSecurityEvent = new X509TokenSecurityEvent();
87          securityToken = getX509Token(WSSecurityTokenConstants.X509V3Token);
88          securityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
89          recipientX509TokenSecurityEvent.setSecurityToken(securityToken);
90          policyEnforcer.registerSecurityEvent(recipientX509TokenSecurityEvent);
91  
92          List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
93          protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
94          protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
95          SignedPartSecurityEvent signedPartSecurityEvent =
96                  new SignedPartSecurityEvent(
97                          (InboundSecurityToken)recipientX509TokenSecurityEvent.getSecurityToken(), true, protectionOrder);
98          signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
99          policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
100 
101         ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent =
102                 new ContentEncryptedElementSecurityEvent(
103                         (InboundSecurityToken)recipientX509TokenSecurityEvent.getSecurityToken(), true, protectionOrder);
104         contentEncryptedElementSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
105         policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);
106 
107         OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
108         operationSecurityEvent.setOperation(new QName("definitions"));
109         policyEnforcer.registerSecurityEvent(operationSecurityEvent);
110 
111         policyEnforcer.doFinal();
112     }
113 
114     @Test
115     public void testPolicyNegative() throws Exception {
116         String policyString =
117                 "<sp:AsymmetricBinding xmlns:sp=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702\" xmlns:sp3=\"http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200802\">\n" +
118                         "<wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
119                         "<sp:InitiatorToken>\n" +
120                         "   <wsp:Policy>\n" +
121                         "       <sp:X509Token>\n" +
122                         "           <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
123                         "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
124                         "               <sp:RequireThumbprintReference/>\n" +
125                         "               <sp:WssX509V3Token11/>\n" +
126                         "           </wsp:Policy>\n" +
127                         "       </sp:X509Token>\n" +
128                         "   </wsp:Policy>\n" +
129                         "</sp:InitiatorToken>\n" +
130                         "<sp:RecipientToken>\n" +
131                         "   <wsp:Policy>\n" +
132                         "       <sp:X509Token>\n" +
133                         "           <sp:IssuerName>CN=transmitter,OU=swssf,C=CH</sp:IssuerName>\n" +
134                         "           <wsp:Policy xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\">\n" +
135                         "               <sp:RequireThumbprintReference/>\n" +
136                         "               <sp:WssX509V3Token11/>\n" +
137                         "           </wsp:Policy>\n" +
138                         "       </sp:X509Token>\n" +
139                         "   </wsp:Policy>\n" +
140                         "</sp:RecipientToken>\n" +
141                         "   <sp:AlgorithmSuite>\n" +
142                         "       <wsp:Policy>\n" +
143                         "           <sp:Basic256/>\n" +
144                         "       </wsp:Policy>\n" +
145                         "   </sp:AlgorithmSuite>\n" +
146                         "</wsp:Policy>\n" +
147                         "</sp:AsymmetricBinding>";
148 
149         PolicyEnforcer policyEnforcer = buildAndStartPolicyEngine(policyString);
150         X509TokenSecurityEvent initiatorX509TokenSecurityEvent = new X509TokenSecurityEvent();
151         X509SecurityTokenImpl securityToken = getX509Token(WSSecurityTokenConstants.X509V1Token);
152         securityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_SIGNATURE);
153         initiatorX509TokenSecurityEvent.setSecurityToken(securityToken);
154         policyEnforcer.registerSecurityEvent(initiatorX509TokenSecurityEvent);
155 
156         X509TokenSecurityEvent recipientX509TokenSecurityEvent = new X509TokenSecurityEvent();
157         securityToken = getX509Token(WSSecurityTokenConstants.X509V3Token);
158         securityToken.addTokenUsage(WSSecurityTokenConstants.TOKENUSAGE_MAIN_ENCRYPTION);
159         recipientX509TokenSecurityEvent.setSecurityToken(securityToken);
160         policyEnforcer.registerSecurityEvent(recipientX509TokenSecurityEvent);
161 
162         List<XMLSecurityConstants.ContentType> protectionOrder = new LinkedList<>();
163         protectionOrder.add(XMLSecurityConstants.ContentType.SIGNATURE);
164         protectionOrder.add(XMLSecurityConstants.ContentType.ENCRYPTION);
165         SignedPartSecurityEvent signedPartSecurityEvent =
166                 new SignedPartSecurityEvent(
167                         (InboundSecurityToken)recipientX509TokenSecurityEvent.getSecurityToken(), true, protectionOrder);
168         signedPartSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
169         policyEnforcer.registerSecurityEvent(signedPartSecurityEvent);
170 
171         ContentEncryptedElementSecurityEvent contentEncryptedElementSecurityEvent =
172                 new ContentEncryptedElementSecurityEvent(
173                         (InboundSecurityToken)recipientX509TokenSecurityEvent.getSecurityToken(), true, protectionOrder);
174         contentEncryptedElementSecurityEvent.setElementPath(WSSConstants.SOAP_11_BODY_PATH);
175         policyEnforcer.registerSecurityEvent(contentEncryptedElementSecurityEvent);
176 
177         OperationSecurityEvent operationSecurityEvent = new OperationSecurityEvent();
178         operationSecurityEvent.setOperation(new QName("definitions"));
179 
180         try {
181             policyEnforcer.registerSecurityEvent(operationSecurityEvent);
182             fail("Exception expected");
183         } catch (WSSecurityException e) {
184             assertEquals(e.getMessage(),
185                     "X509Certificate Version 3 mismatch; Policy enforces WssX509V3Token11");
186             assertEquals(e.getFaultCode(), WSSecurityException.INVALID_SECURITY);
187         }
188     }
189 }